Installation
With Go 1.20+
If you have Go 1.20+, you can directly install Cosign by running:
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
The resulting binary will be placed at $GOPATH/bin/cosign
(or $GOBIN/cosign
, if set).
With the Cosign binary or rpm/dpkg package
Download the binary for your platform from the Cosign releases page.
# binary
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
# rpm
LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-${LATEST_VERSION}-1.x86_64.rpm"
sudo rpm -ivh cosign-${LATEST_VERSION}-1.x86_64.rpm
# dkpg
LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_VERSION}_amd64.deb"
sudo dpkg -i cosign_${LATEST_VERSION}_amd64.deb
Homebrew/Linuxbrew
If you are using Homebrew (or Linuxbrew), you can install Cosign by running:
brew install cosign
Arch Linux
If you are using Arch Linux, you can install Cosign by running:
pacman -S cosign
Alpine Linux
If you are using Alpine Linux edge, with the community repository enabled,
you can install cosign
by running:
apk add cosign
Nix
If you are using Nix, you can install Cosign by running:
nix-env -iA nixpkgs.cosign
NixOS
If you are on NixOS, you can install Cosign by running:
nix-env -iA nixos.cosign
GitHub Actions
Cosign can be installed in your GitHub Actions using the Cosign installer on the GitHub Marketplace.
uses: sigstore/cosign-installer@main
You can specify a specific release of Cosign:
uses: sigstore/cosign-installer@main
with:
cosign-release: "v2.0.2" # optional
GitLab
Cosign can be installed in your CI/CD pipeline by using a before script in your job:
before_script:
- apk add --update cosign
Container Images
Signed release images are available at ghcr.io/sigstore/cosign/cosign
.
They are tagged with the release name (for example, ghcr.io/sigstore/cosign/cosign:v2.0.2
).
You can get the latest release with crane ls ghcr.io/sigstore/cosign/cosign | tail -1
. To list all versions, signatures and SBOMs:
$ crane ls ghcr.io/sigstore/cosign/cosign
...
sha256-a95d7c4ab27e48aaf89253e0703014709129f010578be809b6c95ccee908fa1b.sbom
sha256-a95d7c4ab27e48aaf89253e0703014709129f010578be809b6c95ccee908fa1b.sig
...
v2.0.2
...
CI Built containers are published for every commit at ghcr.io/sigstore/cosign/cosign/ci/cosign
.
They are tagged with the commit.
They can be found with crane ls
:
$ crane ls ghcr.io/sigstore/cosign/cosign/ci/cosign
749f896
749f896bb378aca5cb45c5154fc0cb43f6728d48
Further details and installation instructions for crane
are available via https://github.com/google/go-containerregistry/tree/main/cmd/crane
Verifying Cosign Releases
Before using a downloaded Cosign binary, it’s important to verify its authenticity to ensure that it hasn’t been tampered with. The Cosign binary is signed both with keyless signing and an artifact key. You first need to verify Cosign with the artifact key, since you will need Cosign to verify the keyless signature.
Verifying Cosign with artifact key
Downloading The Update Framework (TUF) client
Before using Cosign, you will need to download and also initialize the TUF environment which allows you to ensure that your software artifacts are distributed securely and that any updates to these artifacts are signed and verified.
To do this, install and use go-tuf’s CLI tools:
go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest
Then, obtain trusted root keys for Sigstore. You will use the 5th iteration of Sigstore’s TUF root to start the root of trust, due to a backward incompatible change. The TUF client uses this root to start a chain of roots, and will download the latest, unexpired root as part of its workflow.
curl -o sigstore-root.json https://raw.githubusercontent.com/sigstore/root-signing/main/ceremony/2022-10-18/repository/5.root.json
Note that you can verify the 5th TUF root against the 1st TUF root, which was signed in a publicly documented signing ceremony. However, due to the backward incompatible change, this requires manual verification steps. See the Sigstore root repo for more information.
Initializing TUF Environment
Then initialize the tuf client with the previously obtained root key and the remote repository;
tuf-client init https://tuf-repo-cdn.sigstore.dev sigstore-root.json
Verifying with key
You will retrieve the artifact verification key from the trusted TUF repository and use it to verify the Cosign release.
tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > artifact.pub
curl -o cosign-release.sig -L https://github.com/sigstore/cosign/releases/download/<version>/cosign-<os>.sig
base64 -d cosign-release.sig > cosign-release.sig.decoded
curl -o cosign -L https://github.com/sigstore/cosign/releases/download/<version>/cosign-<os>
openssl dgst -sha256 -verify artifact.pub -signature cosign-release.sig.decoded cosign
The <version>
and <os>
placeholders in the URLs should be replaced with the specific version and operating system that you want to download.
Verifying Cosign with identity-based verification
Once you have verified Cosign with an artifact key, you can use Cosign to verify future releases of Cosign using identity-based verification.
Verifying Cosign binary
To verify a Cosign binary, you will need to fetch the signature and certificate from GitHub.
curl -o cosign-release.sig -L https://github.com/sigstore/cosign/releases/download/<version>/cosign-<os>-keyless.sig
base64 -d cosign-release.sig > cosign-release.sig.decoded
curl -o cosign-release.pem -L https://github.com/sigstore/cosign/releases/download/<version>/cosign-<os>-keyless.pem
base64 -d cosign-release.pem > cosign-release.pem.decoded
curl -o new-cosign -L https://github.com/sigstore/cosign/releases/download/<version>/cosign-<os>
cosign verify-blob new-cosign --certificate cosign-release.pem.decoded --signature cosign-release.sig.decoded \
--certificate-identity keyless@projectsigstore.iam.gserviceaccount.com --certificate-oidc-issuer https://accounts.google.com
Verify Cosign in container image
You can also verify a container image of Cosign. You can use crane to get the latest version of Cosign. You can skip the first two steps if you already have the container image.
COSIGN_VERSION=$(crane ls ghcr.io/sigstore/cosign/cosign | tail -1)
COSIGN_DIGEST=$(crane digest ghcr.io/sigstore/cosign/cosign:$COSIGN_VERSION)
cosign verify ghcr.io/sigstore/cosign/cosign@$COSIGN_DIGEST \
--certificate-identity keyless@projectsigstore.iam.gserviceaccount.com --certificate-oidc-issuer https://accounts.google.com